Roberto Franceschetti wrote:
> I'm having some issues authenticating iOS clients (with FreeRADIUS v2.1.10
> installed on a Ubuntu server) with EAP-TLS when the username contains a
> domain name in the form of Domain\Username (the account is in Active
> Directory).
>
> I think the issue is caused by the fact that the final Access-Accept reply
> has the backslash after the domain name escaped, so that the output looks
> like this:
>
> Sending Access-Accept of id 171 to 172.27.28.84 port 32769
> User-Name = "ocg\\cmctrf3"
>
> instead of containing the original, un-escaped domain\username:
>
> Sending Access-Accept of id 171 to 172.27.28.84 port 32769
> User-Name = "ocg\cmctrf3"
No.
The escaping is done when the string is *printed*. It sends just one
'\' in the Access-Accept. Use wireshark to check.
> Mine is just a theory, but I cannot verify it until I figure out how to have
> the un-escaped ocg\cmctrf3 string being sent in the output instead of the
> current escaped one. So my question is "how do I cause the User-Name to be
> send un-escaped? Do I make a change in the clients.con file...? The eap.conf
> file...? If so, under which section and where..? Sorry for what may look like
> a dumb question, but I could not find this mentioned anywhere else.
You don't "unescape" anything. The server sends the correct
User-Name. It Does the Right Thing.
> As a side-note, if I omit the domain name in the iOS device and just login
> with the username "cmctrf3" for example, the iPhones/iPads are able to login
> without problems. The issue only occurs when the domain name appears before
> escaped. All other devices (Windows and Mac desktops) seem to be able to get
> past that escaped sequence without problems.
So the issue is the domain name. NOT the escaping. You THINK it's
the escaping, but you're not really sure.
> Below is a blurb showing the debug output. I do see the un-escaped
> ocg\cmctrf3 being logged,
No. That's a debug message, which isn't logging, and doesn't affect
anything.
> Login OK: [ocg\\cmctrf3] (from client 172.27.28.84 port 29 cli
> f0-cb-a1-2b-61-4d)
> # Executing section post-auth from file /etc/freeradius/clients.conf
> +- entering group post-auth {...}
> ++[exec] returns noop
> } # server lwap-clients
> Sending Access-Accept of id 171 to 172.27.28.84 port 32769
> MS-MPPE-Recv-Key =
> 0x15c9ba070e3579e43c54314c24e7e09f4753c779e4e013b4bbd080a2cab4bbb2
> MS-MPPE-Send-Key =
> 0x4f27c90c8fdf27be122e70c2c4d82bebd65797dafebe2ebb4ca91bedfd244cb5
> EAP-Message = 0x030a0004
> Message-Authenticator = 0x00000000000000000000000000000000
> User-Name = "ocg\\cmctrf3"
Well... if the server is sending Access-Accept and the user doesn't
get online... nothing is going wrong with FreeRADIUS.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
